The ES docs for TLS/SSL post 6.x were not complete and lacking many details when this work was done.

Many issues were encountered which required ES support to provide steps as new 6.x+ docs were lacking.

Thanks to their support for assisting.

Highly recommend using PEM format for certs!

We could not use PKCS#12 as this cert format does NOT work with remote curl commands.

On that note, currently Kibana must use PEM AFAIK.

This may have changed, but at that time we couldn't use passphrase on PEM cert unless we included it in the
elasticsearch.yml file (docs did not state this). YMMV.

kitchen

Currently requires using Kitchen Vagrant due to required host name changes, etc.

Using kitchen docker has been unstable and unreliable for td_elasticsearch on my mac and therefore was forced
to stop using it--vagrant just works for me. In addition we need to take actions based on hostname,
which is difficult to do/support with Docker.

AWS TLS/SSL configuration, testing and validation really can't be done locally so we do some but not all.

AWS EC2 ES cluster node discovery cannot be tested locally.

Pre node/cluster deployment requirements

Note: (see Elasticsearch, Kibana, and cerbro docs for more details on how to create/configure TLS/SSL certs, etc.)

There is quite a lot to understand, configure, and do to support TLS for ES--and is outside scope of this doc.

Licensing nodes/cluster

We have this automated but currently disabled and are just doing this simple step manually, the requisite license file is delivered to /var/tmp
Optionally, you could omit the password and enter it in interactively when you execute the command